We have personal identification numbers (PINs) to access our bank accounts and credit cards, passwords to protect our E-mail and Internet transactions, and bar codes and magnetic strips to guard our personal and financial information. But do these measures offer enough security?

UW-Madison Professor of Biomedical EngineeringWillis Tompkins thinks not. "There's more and more identity theft going on," he says. And for most people, remembering a multitude of PINs and passwords means writing them down, then storing them in a purse or wallet — right next to the cards or information they guard. "Basically, the card is your identity. When somebody has it, if they know the PIN number in the card, they have your identity," he says.

Tompkins is one of a growing group of researchers interested in using biometrics — measurable anatomical, physiological or behavioral traits — to verify identity. Already technologies exist that scan fingerprints, hands, irises, retinas and faces, or analyze a voice or signature. Tompkins hopes to add electrocardiogram (ECG) recognition to the mix.

Current biometrics identity verification technologies boast a host of applications, from safeguarding international borders and controlling access to facilities to protecting financial transactions and verifying work attendance. However those tools also have faults. Fingerprint readers can fail in dirty environments, facial geometry scanners can be fooled by disguises or pictures, signatures can change over time, retinal scans apply bright light that may damage the eye, and some systems are too expensive to be practical.

ECG readers, which exercise enthusiasts already can find on a variety of equipment at the gym, have the potential both to hurdle the price barrier and accuracy concerns, says Tompkins.

While a physician-administered ECG gathers the heart's electrical activity through 10 electrodes attached to the patient's arms, legs and chest, Tompkins is focusing only on the signal measured between the two hands. "It doesn't matter whether you record the ECG between your palms, wrists or shoulders, or from the chest — it's the same basic signal," he explains.

That means he could design a reader on which the subject places his or her hands or fingertips, or a wearable "belt" that captures the signal and transmits it to a reader via radio waves. "We're hoping to do it with one heartbeat, which is about one second," says Tompkins. But a more practical solution is to monitor five to 10 beats, he says. That data would be stored on a computer chip embedded in your "smart cards" — everything from credit and debit cards to IDs.

Either the reader or the belt would cost about $150 and offer information security in a largely foolproof manner. "The advantage of the ECG is it's dynamic — there clearly has to be a living person there," says Tompkins.

For now, however, he is working with biomedical engineering graduate student Tsu-Wang David Shen and Electrical and Computer Engineering Associate Professor Yu Hen Hu to test the theory that each person's ECG is unique. They have developed an algorithm that has analyzed 20 people's ECGs and identified each correctly. "The next step is to build a real system and capture data from a wide variety of people and then see if it could work in a real environment," says Tompkins. That larger sample would include people with both normal and abnormal heartbeats — including those with pacemakers, whom he believes also have unique heartbeats.

In addition to their information security applications, hospitals also could use ECGs to ensure patients receive correct treatments and medications. Ultimately, however, Tompkins hopes ECG identity verification will used in tandem with such technologies as fingerprint or facial geometry recognition. "Combining two or more biometric strategies should improve the accuracy obtainable by using either one by itself," he says.